
In this post we shall briefly discuss the PCI compliance regulations and how they affect people looking to use cloud computing services. The PCI DSS is a standard that affects most businesses in one way or another and as such is important when considering cloud computing solutions. If your business deals with credit card transactions then you are affected by PCI compliance issues.
The PCI Data Security Standard (PCI DSS) is according to the PCI’s website:
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
The PCI DSS is designed to protect consumers from having their credit card (and other) details compromised. For businesses, the PCI DSS is a collection of hoops that must be jumped through. Complying with the standard is complex, and the UK has been reported to be slipping behind in PCI compliance. It is not just the UK either: Ireland has had reported issues too.
So how does this affect cloud computing?
Well if we look at the requirements for PCI compliance we have:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain a policy that addresses information security
(source: Evolution Systems)
If you are using Amazon EC2, can you say how secure the network is? If your data is stored on SalesForce.com, can you test their networks? If you are using PayPal to do transactions, is the cardholder data protected? The answer to all of these questions is “maybe”. And maybe you don’t need to worry: if you’ve outsourced everything to cloud services, then a network scan may be a walk in the park. However, it is a complex and confusing area. A quick Google search will quickly turn up business forums where people talk about failing their annual PCI compliance audit for a variety of (often seemingly bizarre) reasons.
In fact, a common area of failure is the security of web servers handling credit card transactions. This is often most easily remedied by using a “cloud” service, in other words by delegating the actual credit card transaction to a third party such as WorldPay, ProtX, etc. Interestingly, this topic came up in a discussion at OpenWeb Southampton just last night, and there was a good discussion about various services including Actinic, PayPal and FoxyCart. The reality is that the answer is always “yes and no”, and there is, as with all cloud computing, an amount of trust and contractual obligation to deal with.
Cloud providers are offering PCI compliant solutions. For example, Terremark Worldwide describes its Enterprise Cloud platform as “certified as PCI DSS Compliant,” and Savvis offers a version of its platform, customized for online retailers, that includes PCI solutions (source: Rich Miller). Services like CohesiveFT’s VPN-cubed service may also play an important part in the equation.
In short, PCI compliance in the cloud is, in our opinion, possible, although it will rely on a web of trust and contractual obligations to work. As the cloud computing market matures and providers settle into their businesses, they will need to make it clearer whether they are able to provide PCI DSS compliant services. For now, the best bet is to talk to them and ask if they can pass the regulations and offer you a PCI compliant service via contract. You are also well advised to contact someone experienced in PCI DSS issues if you are about to embark on a project.